While working on several articles about the WannaCry attacks for my job as a cybersecurity journalist, I learned about LulzSec, which was one of the most notable attacks of the 2010s. I wanted to know more about the group that launched major cybersecurity attacks on many big name companies in a chaotic 50 days in 2011.
The group’s impact wasn’t as obvious as WannaCry’s impact, but examining what happened can teach us about the attackers’ motivations and methods. In the years since the incident there has been a Count of copycat attacks that mimic LulzSec’s by using memes, public relations, social media, and other attention-grabbing tactics as part of their overall strategy.
Cyber attacks that insult and embarrass businesses
It began in early May 2011 with Fox News criticizing rapper Common. In response, a newly formed group of six people, calling themselves LulzSec, hacked into Fox.com. They then leaked private information about X Factor contestants — more than 73,000 names and profiles, The Guardian reported. And in a style that would be a trademark of their attacks, LulzSec sent a message: “We don’t like you very much. Therefore, we cordially invite you to kiss our handcrafted Crescent Fresh asses.”
This first attack set the stage and made it clear that the public face of these attacks would be different from many previous cyberattacks. It started with the group’s publicly proclaimed motto: “This is the internet where we shag each other for a jerk of gratification.” Instead of focusing on monetary gains or stealing personal information to use in fraud, these attackers appeared Wanting to embarrass companies by finding vulnerabilities (although that probably wasn’t much consolation for those whose information was actually compromised). The group also appeared, insulting the violators with mocking tweets and memes aimed at the companies they attacked.
After LulzSec stole bank account details from over 3,100 ATMs in the UK on May 15th, it hit Sony Japan on May 23rd, firing off many of their most famous tweets. A tweet was sent during an attack and read: “Hey @Sony, do you know we’re walking away with a bunch of your internal stuff and you didn’t even notice?? Slow and steady guys.” And in case there were any questions about their motives, LulzSec specifically stated in a tweet following their attack on Sony that they “just want to embarrass Sony more”.
Laugh about cyber security
LulzSec was a small group of hackers that formed as a subgroup of the Anonymous Hackers Group and chose the name Lulz as a nod to “lol,” meaning laugh out loud, and “Sec” for security. One of the group members, credited as Whirlpool, gave several interviews and said that the group does not seek attention or notoriety. In an interview with Forbes, he said: “We like to make people laugh. We have a lot of energy for it.”
LulzSec used a mix of different attack types in their efforts. Many of the incidents were denial of service attacks, preventing users from using their credentials to gain access to corporate servers. The group also used SQL injections to find vulnerabilities that allowed them to access and steal information, such as B. the personal data of the X-Factor participants. However, what is often overlooked is that the group also used cross-site scripting (XSS) and remote file inclusion (RFI) attacks.
PBS, the FBI and the whistleblower
Anonymous hacking groups often publicly presented their activities as “retaliation” for problems related to WikiLeaks or “internet freedom”. In line with this public agenda LulzSec targeted PBS after the network published a negative broadcast about WikiLeaks. LulzSec stole PBS’s passwords and published a fake story claiming that New Zealand rappers Tupac Shakur and Biggie Smalls were very much alive instead of dead.
After another attack on Sony – this time against music codes, coupons and customer information – LulzSec turned its attention to Infragard, a subsidiary of the FBI. They took it offline, which drew more attention to their hacking hype. But the leader of the group, who called himself Sabu, forgot to use the Tor system to cloak himself. That mistake landed him on the FBI’s radar.
When he was caught by the FBI and his true identity was revealed, Hector Xavier Monsegur, aka “Sabu,” decided he would turn informant and help the FBI catch LulzSec – possibly hoping for a reduced sentence that would settle the matter for him would facilitate two young nieces for whom he was legal guardian. Over the next few years, Monsegur helped the FBI stop over 300 cyberattacks.
Hackers as vigilantes
While the FBI monitored and negotiated with Monsegur, LulzSec launched a series of other attacks leading up to the first public arrest on June 21, 2011. These attacks included leaking the passwords of over 25,000 people who accessed at least one of 55 pornographic websites, staging a denial of service attack on gaming websites, and taking the CIA website offline for three hours. The group also won a contest in which a cybersecurity firm offered $10,000 to anyone who could hack into the firm’s website and change an image.
While several of these attacks are clearly malicious, LulzSec also reported to the UK’s National Health Service (NHS) around the same time that there was a vulnerability. I stopped for a minute when I learned that they had written that they were not going to publicly shame the vulnerability or release any information about the vulnerability, but instead wanted to help the NHS become safer. Whether out of a true moral compass or simply for PR purposes, LulzSec positioned itself as a “vigilante,” deciding for itself which groups deserved compassion and which deserved ridicule and harm.
This approach continued with the group’s participation in the June 20 launch of Operation Anti-Security, mobilizing its supporters to hack and expose government and financial information. Publicly, the movement has been positioned as a “revolution” seeking to expose corruption, but in practice, attacks under this grand umbrella often created real victims, with real personal and financial consequences.
The end of LulzSec
LulzSec’s ending was a bit anticlimactic, especially compared to her publicly derisive messages and exceptionally active Twitter account. Several LulzSec hackers were arrested and charged in 2013. In total, their attacks lasted eight months in 2011. The group also publicly disbanded in mid-June 2011, citing boredom as the reason.
In true LulzSec fashion, they announced their departure in a lengthy tweet – their 1,000th. – and shared their reasons and thoughts. They strongly denied that the breakup was related to law enforcement, but there’s no denying that it came after mounting legal troubles for the group, which is believed to have possessed large amounts of sensitive and illegally obtained data when it shut down .
What did LulzSec mean for cybersecurity?
Now that I fully understood what happened and why it happened, I wanted to understand how the group’s 50 Days of Luls transformed both cyberattacks and cybersecurity. Reading many articles written both during the attacks and in the aftermath, the overarching theme has been LulzSec’s impact on “hacktivism,” or hacking for purposes beyond just monetary gain. The group’s public face and active Twitter account made it one of the most well-known hacking organizations at the time, and its sometimes confusing motivations required attention and vigilance from cybersecurity professionals.
In an article published in October 2011, Peter Coroneos, then head of the Internet Industry Association (IIA), and IBRS consultant and security expert James Turner discussed the influence and impact of LulzSec. I found Coroneos’ description of LulzSec as a return to the motivation of showing off and a “we do it because we can” era to be particularly apt. I also found his comment on the lack of predictability very interesting.
“Because there’s no predictability – maybe that’s part of their point – there’s the idea that they can hit anyone at any time for any reason,” Coroneos said. “That seems to be what they’re actually trying to show: that they’re not limited to one ideology or cause.”
A complex effect
In the end, Turner’s outright condemnation of the LulzSec attacks as “stupid, flimsy vandalism” in the CSO article feels right. And I might have LOLed (pun intended) at his description of “teenagers breaking windows in an abandoned warehouse”. Because breaking the law is still breaking the law, even if you’re protesting something, as hacktivist groups proclaim.
The fact that LulzSec’s stated motivations and chosen goals were often so broad made it difficult for many in the industry to believe they were acting with a clear moral or philosophical goal. It also explains why it can be difficult to clearly pinpoint LulzSec’s impact on the cybersecurity industry. The public and flamboyant nature of these particular attacks certainly drew attention, but the interpretation of the attacks is left to the individual observer.